ABSTRACT

We present a variation of the modular algorithm for computing the Hermite Normal Form of an $\mathcal{O}_K$-module presented by Cohen [2], where $\mathcal{O}_K$ is the ring of integers of a number field $K$. The modular strategy was conjectured to run in polynomial time by Cohen, but so far, no such proof was available in the literature. In this paper, we provide a new method to prevent the coefficient explosion and we rigorously assess its complexity with respect to the size of the input and the invariants of the field $K$.

Categories and Subject Descriptors 

I.1.2 [Algorithms]: Algebraic algorithms — Symbolic and Algebraic Manipulation

General Terms 

Theory, Algorithms 

Keywords 

Hermite Normal Form, Complexity, Modules, Number theory

1. INTRODUCTION 

The construction of a good basis of an $\mathcal{O}_K$-module, where $K$ is a number field and $\mathcal{O}_K$ its ring of integers, has recently received a growing interest from the cryptographic community. Indeed, $\mathcal{O}_K$-modules occur in lattice-based cryptography [8l IH1 11UI 1131 114], where cryptosystems rely on the difficulty of finding a short element of a module, or of solving the closest vector problem. The computation of a good basis is crucial for solving these problems, and most of the algorithms for computing a reduced basis of a $\mathbb{Z}$-lattice have an equivalent for $\mathcal{O}_K$-modules. However, applying the available tools over $\mathbb{Z}$ to $\mathcal{O}_K$-modules would result in the loss of their structure.

The computation of a Hermite Normal Form (HNF)-basis was generalized to $\mathcal{O}_K$-modules by Cohen [2, Chap. 1]. His algorithm returns a basis that enjoys similar properties as the HNF of a $\mathbb{Z}$-module. A modular version of this algorithm is conjectured to run in polynomial time, although this statement is not proven (see last remark of [2, 1.6.1]). In addition, Fieker and Stehlé's recent algorithm for computing a size-reduced basis relies on the conjectured possibility to compute an HNF-basis for an $\mathcal{O}_K$-module in polynomial time [5, Th. 1]. This allows a polynomial time equivalent of the LLL algorithm preserving the structure of $\mathcal{O}_K$-module. In this paper, we address the problem of the polynomiality of the computation of an HNF basis for an $\mathcal{O}_K$-module by presenting a modified version of Cohen's algorithm [2, Chap. 1]. We thus assure the validity of the LLL algorithm for $\mathcal{O}_K$-modules of Fieker and Stehlé [5] which has applications in lattice-based cryptography, as well as in representations of matrix groups [1] and in automorphism algebras of Abelian varieties. In addition, our HNF algorithm allows one to compute a basis for the intersection of $\mathcal{O}_K$-modules, which has applications in list decoding codes based on number fields (see [6] for their description).

Our contribution. We present in this paper the first polynomial time algorithm for computing an HNF basis of an $\mathcal{O}_K$-module based on the modular approach of Cohen [2, Chap. 1]. We rigorously address its correctness and derive bounds on its run time with respect to the size of the input, the dimension of the module and the invariants of the field.

2. GENERALITIES ON NUMBER FIELDS 

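Let $K$ be a number field of degree $d$. It has $r_1 \le d$ real embeddings $(\sigma_i)_{i \le r_1}$ and $2r_2$ complex embeddings $(\sigma_j)_{r_1 < j \le 2r_2}$ (coming as $r_2$ pairs of conjugates). The field $K$ is isomorphic to $\mathcal{O}_K \otimes \mathbb{Q}$ where $\mathcal{O}_K$ denotes the ring of integers of $K$. We can embed $K$ in

$$K_{\mathbb{R}} := K \otimes \mathbb{R} \simeq \mathbb{R}^{r_1} \times \mathbb{C}^{r_2},$$

and extend the $\sigma_i$'s to $K_{\mathbb{R}}$. Let $T_2$ be the Hermitian form on $K_{\mathbb{R}}$ defined by

$$T_2(x,x') := \sum_i \sigma_i(x)\overline{\sigma_i(x')},$$

and let $\|x\| := \sqrt{T_2(x,x)}$ be the corresponding $L_2$-norm. Let $(\alpha_i)_{i \le d}$ such that $\mathcal{O}_K = \oplus_i \mathbb{Z}\alpha_i$, then the discriminant of $K$ is given by $\Delta_K = \det^2(T_2(\alpha_i,\alpha_j))$. The norm of an element $x \in K$ is defined by $\mathcal{N}(x) = \prod_i |\sigma_i(x)|$.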



To represent $\mathcal{O}_K$-modules, we rely on a generalization of the notion of ideal, namely the fractional ideals of $\mathcal{O}_K$. They can be defined as finitely generated $\mathbb{Z}$-modules of $K$. When a fractional ideal is contained in $\mathcal{O}_K$, we refer to it as an integral ideal, which is in fact an ideal of $\mathcal{O}_K$. Otherwise, for every fractional ideal $I$ of $\mathcal{O}_K$, there exists $r \in \mathbb{Z}_{>0}$ such that $rI$ is integral. The sum and product of two fractional ideals of $\mathcal{O}_K$ is given by

$$IJ = \{ i_1 j_1 + \cdots + i_l j_l \mid l \in \mathbb{N},\ i_1, \dots, i_l \in I,\ j_1, \dots, j_l \in J \},$$
$$I + J = \{ i + j \mid i \in I,\ j \in J \}.$$

The fractional ideals of $\mathcal{O}_K$ are invertible, that is for every fractional ideal $I$, there exists $I^{-1} := \{x \in K \mid xI \subseteq \mathcal{O}_K\}$ such that $II^{-1} = \mathcal{O}_K$. The set of fractional ideals is equipped with a norm function defined by $\mathcal{N}(I) = \det(M^I)/\det(\mathcal{O}_K)$ where the rows of $M^I$ are a $\mathbb{Z}$-basis of $I$. The norm of ideals is multiplicative, and in the case of an integral ideal, we have $\mathcal{N}(I) = |\mathcal{O}_K/I|$. Also note that the norm of $x \in K$ is precisely the norm of the principal ideal $(x) = x\mathcal{O}_K$. Algorithms for ideal arithmetic in polynomial time are described in Section 5.

3. THE HNF 

Let $M \subseteq K^l$ be a finitely generated $\mathcal{O}_K$-module. As in [2, Chap. 1], we say that $[(a_i), (\mathfrak{a}_i)]_{i \le n}$, where $a_i \in K^l$ and $\mathfrak{a}_i$ is a fractional ideal, is a pseudo-basis for $M$ if

$$M = \mathfrak{a}_1 a_1 \oplus \cdots \oplus \mathfrak{a}_n a_n.$$

Note that a pseudo-basis is not unique, and the main result of [5] is precisely to compute a pseudo-basis of short elements. If the sum is not direct, we call $[(a_i), (\mathfrak{a}_i)]_{i \le n}$ a pseudo-generating set for $M$. Once a pseudo-generating set $[(a_i), (\mathfrak{a}_i)]_{i \le n}$ for $M$ is known, we can associate a pseudo-matrix $\mathcal{A} = (A, I)$ to $M$, where $A \in K^{n \times l}$ and $I = (\mathfrak{a}_i)_{i \le n}$ is a list of $n$ fractional ideals such that

$$M = \mathfrak{a}_1 A_1 + \cdots + \mathfrak{a}_n A_n,$$

where $A_i \in K^l$ is the $i$-th row of $A$. We can construct a pseudo-basis from a pseudo-generating set by using the Hermite normal form (HNF) over Dedekind domains (see [2, Th. 1.4.6]). Note that this canonical form is also referred to as the pseudo-HNF in [2, 1.4]. In this paper we simply call it HNF, but we implicitly refer to the standard HNF over $\mathbb{Z}$ when dealing with an integer matrix. Assume $A$ is of rank $l$ (in particular $n \ge l$), then there exists an $n \times n$ matrix $U = (u_{i,j})$ and $n$ non-zero ideals $\mathfrak{b}_1, \dots, \mathfrak{b}_n$ satisfying

1. $\forall i,j,\ u_{i,j} \in \mathfrak{b}_i^{-1}\mathfrak{a}_j$.

2. $\mathfrak{a} = \det(U)\mathfrak{b}$ for $\mathfrak{a} = \prod_i \mathfrak{a}_i$ and $\mathfrak{b} = \prod_i \mathfrak{b}_i$.

3. The matrix $UA$ is of the form



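$UA$ = [matrix display not recoverable from the source; the surviving entries are a leading 1 and a zero block (0)]

$M = \mathfrak{b}_1\omega_1 \oplus \cdots \oplus \mathfrak{b}_l\omega_l$ where $\omega_1, \dots, \omega_l$ are the first $l$ rows of $UA$.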

In general, the algorithm of [2] for computing the HNF of a pseudo-matrix takes exponential time, but as in the integer case, there exists a modular one which is polynomial in the dimensions of $A$, the degree of $K$, and the bit size of the modulus. Note that in the case of a pseudo-matrix representing an $\mathcal{O}_K$-module $M$, the modulus is an integral multiple of the determinantal ideal $\mathfrak{g}(M)$, which is generated by all the ideals of the form

$$\det\nolimits_{i_1,\dots,i_l}(A) \cdot \mathfrak{a}_{i_1} \cdots \mathfrak{a}_{i_l},$$

where $\det_{i_1,\dots,i_l}(A)$ is the determinant of the $l \times l$ minor consisting of the last $l$ columns of rows of indices $i_1, \dots, i_l$. The determinantal ideal is a rather involved structure, except in the case $l = n$. In applications, the modulus is frequently known. In the rest of the paper, we restrict ourselves to the case of an $n \times n$ matrix $A$ of rank $n$. One can immediately derive polynomial time algorithms for the rectangular case, and for the case of a singular matrix $A$.

4. NOTION OF SIZE 

To ensure that our algorithm for computing an HNF basis of an $\mathcal{O}_K$-module runs in polynomial time, we need a notion of size that bounds the bit size required to represent ideals and field elements. An ideal $I \subseteq \mathcal{O}_K$ is given by the matrix $M^I \in \mathbb{Z}^{d \times d}$ of its basis expressed in an integral basis $\omega_1, \dots, \omega_d$ of $\mathcal{O}_K$. If the matrix is in Hermite Normal Form, the size required to store it is therefore bounded by $d^2 \max_{i,j}(\log(|M^I_{i,j}|))$, where $\log(x)$ is the base 2 logarithm of $x$. In the meantime, every coefficient of $M^I$ is bounded by $|\det(M^I)| = \mathcal{N}(I)$ (see [3, Prop. 4.7.4]). Thus, we define the size of an ideal as

$$S(I) := d^2 \log(\mathcal{N}(I)).$$

If $\mathfrak{a} = (1/k)I$ is a fractional ideal of $K$, where $I \subseteq \mathcal{O}_K$ and $k \in \mathbb{Z}_{>0}$ is minimal, then the natural generalization of the notion of size is

$$S(\mathfrak{a}) := \log(k) + S(I),$$

where $\log(k)$ is the base 2 logarithm of $k$. We also define the size of elements of $K$. If $x \in \mathcal{O}_K$ can be written as $x = \sum_{i \le d} x_i\omega_i$, where $x_i \in \mathbb{Z}$, then we define its size by

$$S(x) := d\log(\max_i |x_i|).$$

It can be generalized to elements $y \in K$ by writing $y = x/k$ where $x \in \mathcal{O}_K$ and $k$ is a minimal positive integer, and by setting

$$S(y) := \log(k) + S(x).$$

In the literature, the size of elements of $K$ is often expressed with $\|x\|$. These two notions are in fact related.



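Proposition 1. Let $x \in \mathcal{O}_K$, the size of $x$ and its $T_2$-norm satisfy

$$\log(\|x\|) \le \tilde{O}\left(\frac{S(x)}{d} + d^2 + \log|\Delta_K|\right),$$
$$S(x) \le \tilde{O}(d(d + \log(\|x\|))).$$

Proof. In appendix □

So, for all $x \in \mathcal{O}_K$, $S(x) = \tilde{O}(\log(\|x\|))$ and $\log(\|x\|) = \tilde{O}(S(x))$, where the constants are polynomial in $d$ and $\log|\Delta_K|$.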



Corollary 1. Let $x, y \in \mathcal{O}_K$, their size satisfies

$$S(xy) \le \tilde{O}(d^3 + d\log|\Delta_K| + S(x) + S(y)).$$

5. COST MODEL 

We assume that the module $M$ satisfies $M \subseteq \mathcal{O}_K^n$ and that $\mathcal{O}_K$ is given by an LLL-reduced integral basis $\omega_1, \dots, \omega_d$ such that $\omega_1 = 1$. The computation of such a basis can be done by using [TJ Cor. 3] to produce a good integral basis for $\mathcal{O}_K$ and then reducing it with the LLL algorithm [7]. In this section, we evaluate the complexity of the basic operations performed during our algorithm. We rely on standard number theoretic algorithms. We multiply two integers of bit size $h$ in time $M(h) \le O(h\log(h)\log(\log(h)))$ using the Schönhage-Strassen algorithm, while the addition of such integers is in $O(h)$, their division has complexity bounded by $O(M(h))$, and the Euclidean algorithm that provides their GCD has complexity $O(\log(h)M(h))$ (see [TTJ). In the following, we also refer to two standard linear algebra algorithms, namely the HNF computation over the integers due to Storjohann [TS] in complexity $(nmr^{\omega-1}\log|A|)^{1+o(1)}$ and Dixon's p-adic algorithm for solving linear systems in

(n^logjAI) 1 ^ 1 ), 

where $A \in \mathbb{Z}^{m \times n}$ has rank $r$ and has its entries bounded by $|A|$, and where $3 \ge \omega \ge 2$ is the exponent of the complexity of matrix multiplication. We need to perform additions, multiplications and inversions of elements of $K$, as well as of fractional ideals. There is no reference on the complexity of these operations, although many implementations can be found. We address this problem in the rest of this section. We use $\tilde{O}$ to denote the complexity where all the logarithmic factors are omitted.

Elements $x$ of $K$ are represented as quotients of an element of $\mathcal{O}_K$ and a positive denominator. We add them naively while their multiplication is done by using a precomputed table of the $\omega_i\omega_j$ for $i,j \le d$.

Proposition 2. Let $\alpha, \beta \in K$ such that $S(\alpha), S(\beta) \le B$, then the following holds:

1. $\alpha + \beta$ can be computed in $\tilde{O}(dB)$,

2. $\alpha\beta$ can be computed in $\tilde{O}(d^2(B + d^3 + d\log|\Delta_K|))$,

3. $1/\alpha$ can be computed in $\tilde{O}(d^{\omega-1}(B + d^3 + d\log|\Delta_K|))$.

Proof. Adding $\alpha$ and $\beta$ is straightforward. Multiplying them is done by storing a precomputed multiplication table for the $\omega_i\omega_j$. Finally, inverting $\alpha$ boils down to solving a linear system in the coefficients of $1/\alpha$. More details are given in appendix. □

Ideals of $\mathcal{O}_K$ are given by their HNF representation with respect to the integral basis $\omega_1, \dots, \omega_d$ of $\mathcal{O}_K$. It consists of the HNF of the matrix representing the $d$ generators of their $\mathbb{Z}$-basis as rows. Operations on this matrix yield the addition, multiplication and inverse of an integral ideal. The corresponding operations on fractional ideals are trivially deduced by taking care of the denominator.

Proposition 3. Let $\mathfrak{a}$ and $\mathfrak{b}$ be fractional ideals of $K$ such that $S(\mathfrak{a}), S(\mathfrak{b}) \le B$, then the following holds:

1. $\mathfrak{a} + \mathfrak{b}$ can be computed in $\tilde{O}(d^{\omega+1}B)$,

2. $\mathfrak{a}\mathfrak{b}$ can be computed in $\tilde{O}(d^3(d^4 + d^2\log|\Delta_K| + B))$,

3. $1/\mathfrak{a}$ can be computed in $\tilde{O}(d^{2\omega}(d^4 + d^2\log|\Delta_K| + B))$.

Proof. The addition of integral ideals $\mathfrak{a}$ and $\mathfrak{b}$ given by their HNF matrix $A$ and $B$ is given by the HNF of $\begin{pmatrix} A \\ B \end{pmatrix}$. To multiply them, one has to compute the HNF of the matrix whose $d^2$ rows represent $\gamma_i\delta_j$ where $(\gamma_i)_{i \le d}$ is an integral basis for $\mathfrak{a}$ and $(\delta_i)_{i \le d}$ is an integral basis for $\mathfrak{b}$. Finally, following the approach of [3, 4.8.4], inverting $\mathfrak{a}$ boils down to solving a $d^2 \times (d + d^2)$ linear system. More details are given in appendix. □

Note that the reason why the dependency in $B$ in the complexity of the addition of fractional ideals is slightly more than in the complexity of the multiplication is the way we deal with the denominators. In the case of integral ideals, the addition would be in $\tilde{O}(d^{\omega-1}B)$. The last operation that needs to be performed during our HNF algorithm is the multiplication between an element of $K$ and a fractional ideal.

Proposition 4. Let $\alpha \in K$, a fractional ideal $\mathfrak{a} \subseteq K$ and $B_1, B_2$ such that $S(\alpha) \le B_1$ and $S(\mathfrak{a}) \le B_2$, then $\alpha\mathfrak{a}$ can be computed in expected time bounded by

6 (<r (d A + dlog 1 A a- 1 + ^ + B 2 ) ] .

Proof. If $\gamma_1, \dots, \gamma_d$ is an integral basis for $\mathfrak{a} \subseteq \mathcal{O}_K$, then $(\alpha\gamma_i)_{i \le d}$ is one for $(\alpha)\mathfrak{a}$. The HNF of the matrix representing these elements leads to the desired result. More details are given in appendix. □



6. THE NORMALIZATION 

The normalization is the key difference between our approach and the one of Cohen [2, 1.5]. It is the strategy that prevents the coefficient swell by calculating a pseudo-basis for which the ideals are integral with size bounded by the field's invariants. Given a one-dimensional $\mathcal{O}_K$-module $\mathfrak{a}A \subseteq \mathcal{O}_K^n$ where $\mathfrak{a}$ is a fractional ideal of $K$, and $A \in K^n$, we find $b \in K$ such that the size taken to represent our module as $(b\mathfrak{a})(A/b)$ is reasonably bounded. Indeed, any non-trivial module can be represented by elements of arbitrarily large size, which would cause a significant slow-down in our algorithm.



The first step of our normalization is to make sure that $\mathfrak{a}$ is integral. This allows us to bound the denominator of the coefficients of the matrix when manipulating its rows during the HNF algorithm. If $k \in \mathbb{Z}$ is the denominator of $\mathfrak{a}$, then replacing $\mathfrak{a}$ by $k\mathfrak{a}$ and $A$ by $A/k$ increases the size needed to represent our module via the growth of all the denominators of the coefficients of $A \in K^n$. Thus, after this operation, the size of each coefficient $a_i$ of $A$ is bounded by $S(a_i) + S(\mathfrak{a})$.

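We can now assume that our one-dimensional module is of the form $\mathfrak{a}A$ where $\mathfrak{a} \subseteq \mathcal{O}_K$ and $A \in K^n$ at the price of a slight growth of its size. The next step of normalization is to express our module as $\mathfrak{a}'A'$ where $A' \in K^n$ and $\mathfrak{a}' \subseteq \mathcal{O}_K$ such that $\mathcal{N}(\mathfrak{a}')$ only depends on invariants of the field. To do this, we invert $\mathfrak{a}$ and write it as

where $k \in \mathbb{Z}_{>0}$ and $\mathfrak{b} \subseteq \mathcal{O}_K$. As $\mathcal{N}(\mathfrak{a}) \in \mathfrak{a}$, we have $\mathcal{N}(\mathfrak{a})\mathfrak{a}^{-1} \subseteq \mathcal{O}_K$ and thus $k \le \mathcal{N}(\mathfrak{a})$. Therefore,

Then we use the LLL algorithm to find an element $\alpha \in \mathfrak{b}$ such that

$$\|\alpha\| \le d^{1/2}2^{d/2}|\Delta_K|^{1/2d}\mathcal{N}(\mathfrak{b})^{1/d}.$$

Our reduced ideal is

$$\mathfrak{a}' := \left(\frac{\alpha}{k}\right)\mathfrak{a} \subseteq \mathfrak{a}^{-1}\mathfrak{a} = \mathcal{O}_K.$$

The integrality of $\mathfrak{a}'$ comes from the definition of $\mathfrak{b}^{-1}$ and the fact that $\alpha \in \mathfrak{b}$. From the arithmetic-geometric mean, we know that $\mathcal{N}(\alpha) \le \|\alpha\|^d/d^{d/2}$, therefore

$$\mathcal{N}(\alpha) \le 2^{d^2/2}\sqrt{|\Delta_K|}\,\mathcal{N}(\mathfrak{b}),$$

and the norm of the reduced ideal can be bounded by $\mathcal{N}(\mathfrak{a}') \le 2^{d^2/2}\sqrt{|\Delta_K|}$. On the other hand, we set $A' := (k/\alpha)A$, which induces a growth of the coefficients $a_i$ of $A$. Indeed, each $a_i$ is multiplied by $(k/\alpha)$.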



Proposition 5. The size of the normalized module $\mathfrak{a}'A'$ of $\mathfrak{a}A \subseteq K^n$ satisfies

$$S(a_i') \le \tilde{O}(d^3 + d\log|\Delta_K| + S(\mathfrak{a}) + S(a_i)),$$
$$S(\mathfrak{a}') \le \tilde{O}(d^3 + d\log|\Delta_K|).$$

Proof. From Corollary 1 we know that



s [ ^ j < o fd a + dlog |A K | + ^ + s( ai ) + s(± 



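In addition, if $1/\alpha = x/k'$ where $x \in \mathcal{O}_K$ and $k' \in \mathbb{Z}_{>0}$, then

$$S(1/\alpha) \le \tilde{O}(\log(k') + d(d + \log\|x\|)).$$

On the one hand, we have

$$k' \le \mathcal{N}(\alpha) \le 2^{d^2/2}\sqrt{|\Delta_K|}\,\mathcal{N}(\mathfrak{a})^{d-1},$$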



and on the other hand, we need to bound ||a;||. We notice 
that since jV(a) £ Q, Vj < d, J\f(a) = a/3 = en; (a/3). We 
also know that Vj, |<Tj(a)| < ||a||. Therefore, 



Vj < d, \aj(x)\ 



Wj{a)\ 



Therefore ||a;|| < v / d||a|| d 1 , and thus 



S - < O (d 3 + dlog \A K \ + 5(a)) 



□ 



Our normalization, summarized in Algorithm 1, was performed at the price of a reasonable growth in the size of the objects we manipulate. Let us now evaluate its complexity.

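Algorithm 1 Normalization of a one-dimensional module
Input: $A \in K^n$, fractional ideal $\mathfrak{a}$ of $K$.
Output: $A' \in K^n$, $\mathfrak{a}' \subseteq \mathcal{O}_K$ such that $\mathcal{N}(\mathfrak{a}') \le 2^{d^2/2}\sqrt{|\Delta_K|}$ and $\mathfrak{a}A = \mathfrak{a}'A'$.
1: $\mathfrak{a} \leftarrow k_0\mathfrak{a}$, $A \leftarrow A/k_0$ where $k_0$ is the denominator of $\mathfrak{a}$.
2: $\mathfrak{b} \leftarrow k\mathfrak{a}^{-1}$ where $k$ is the denominator of $\mathfrak{a}^{-1}$.
3: Let $\alpha$ be the first element of an LLL-reduced basis of $\mathfrak{b}$.
4: $\mathfrak{a}' \leftarrow (\alpha/k)\mathfrak{a}$, $A' \leftarrow (k/\alpha)A$.
5: return $\mathfrak{a}'$, $A'$.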



Proposition 6. Let $B_1, B_2$ such that $S(\mathfrak{a}) \le B_1$ and $\forall i,\ S(a_i) \le B_2$, then the complexity of Algorithm 1 is bounded by

$$\tilde{O}(nd^2(d^3 + B_1 + B_2 + d\log|\Delta_K|)).$$

Proof. The inversion of $\mathfrak{a}$ is performed in time

$$\tilde{O}(d^{2\omega}(d^4 + d^2\log|\Delta_K| + B_1)),$$

by using Proposition 3. Then, the LLL-reduction of the basis of $\mathfrak{b}$ is done by the $L^2$ algorithm of Stehlé and Nguyen [12] in expected time bounded by

O 



d 3 (d + ^) ^d) < 6 (d 2 S(a)(d 2 + 5(a))) 



Then, computing $(\alpha/k)\mathfrak{a}$ is the multiplication of the ideal $\mathfrak{a}$ by the element $\alpha/k$ which satisfies

$$S(\alpha/k) \le \tilde{O}(d^2 + \log|\Delta_K| + S(\mathfrak{a})/d).$$

This takes $\tilde{O}(d^{\omega-1}(S(\mathfrak{a}) + d^4 + d^2\log|\Delta_K|))$. Finally, computing $k(1/\alpha)A$ consists of inverting $\alpha$ with $S(\alpha) \le \tilde{O}(d + \log|\Delta_K| + B_1/d)$, which takes

$$\tilde{O}(d^{\omega-1}(d^3 + B_1/d + d\log|\Delta_K|)),$$

and performing $n + 1$ multiplications between elements of size bounded by $\tilde{O}(d^3 + B_1 + B_2 + d\log|\Delta_K|)$, which is done in time

$$\tilde{O}(nd^2(d^3 + B_1 + B_2 + d\log|\Delta_K|)).$$

The result follows from the combination of the above expected times and from the fact that $2 \le \omega \le 3$. □



7. REDUCTION MODULO A FRACTIONAL 
IDEAL 

To achieve a polynomial complexity for our HNF algorithm, we reduce some elements of $K$ modulo ideals whose norm can be reasonably bounded. We show in this section how to bound the norm of a reduced element with respect to the norm of the ideal and invariants of $K$. Let $\mathfrak{a}$ be a fractional ideal of $K$, and $x \in K$. Our goal is to find $\bar{x} \in K$ such that $\|\bar{x}\|$ is bounded, and that $x - \bar{x} \in \mathfrak{a}$.

The reduction algorithm consists of finding an LLL-reduced basis $r_1, \dots, r_d$ of $\mathfrak{a}$ and decomposing

$$x = \sum_{i \le d} x_i r_i.$$

Then, we define

$$\bar{x} := x - \sum_{i \le d} \lfloor x_i \rceil r_i.$$



Proposition 7. Let $x \in K$ and $\mathfrak{a}$ be a fractional ideal of $K$, then Algorithm 2 returns $\bar{x}$ such that $x - \bar{x} \in \mathfrak{a}$ and

$$\|\bar{x}\| \le d^{3/2}2^{d/2}\mathcal{N}(\mathfrak{a})^{1/d}\sqrt{|\Delta_K|}.$$

Proof. In appendix □



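Algorithm 2 Reduction modulo a fractional ideal
Input: $\alpha \in K$, fractional ideal $\mathfrak{a}$ of $K$.
Output: $\bar{\alpha} \in K$ such that $\alpha - \bar{\alpha} \in \mathfrak{a}$ and $\|\bar{\alpha}\| \le d^{3/2}2^{d/2}\mathcal{N}(\mathfrak{a})^{1/d}\sqrt{|\Delta_K|}$.
if $\|\alpha\| \le d^{3/2}2^{d/2}\mathcal{N}(\mathfrak{a})^{1/d}\sqrt{|\Delta_K|}$ or $\alpha = 1$ then
    return $\alpha$.
else
    Compute an LLL-reduced basis $(r_i)_{i \le d}$ of $\mathfrak{a}$.
    Decompose $\alpha = \sum_{i \le d} x_i r_i$.
    $\bar{\alpha} \leftarrow \alpha - \sum_{i \le d} \lfloor x_i \rceil r_i$.
    return $\bar{\alpha}$.
end if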
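Added example (not code from the paper): the decomposition and rounding steps of Algorithm 2 carried out in the concrete field K = Q(i), with integral basis (1, i), for the ideal generated by 2 + i. The field, the ideal, the sample elements and all function names are assumptions chosen for illustration; the basis (2 + i, -1 + 2i) is already reduced, so the LLL step is skipped.

```python
from fractions import Fraction

# Constructed sample data: K = Q(i), elements are coordinate pairs (re, im).
# Z-basis of the ideal a = (2 + i): the rows are 2 + i and i*(2 + i) = -1 + 2i.
BASIS = [(2, 1), (-1, 2)]
IDEAL_NORM = 5            # |det| of the basis matrix = 2*2 - 1*(-1)
DEGREE, ABS_DISC = 2, 4   # d = 2 and |Delta_K| = 4 for Q(i)


def coordinates(basis, x):
    """Rational coordinates c with sum(c[i] * basis[i]) == x, by exact elimination."""
    d = len(basis)
    # Column j of the system is basis[j]; the last column is the right-hand side x.
    m = [[Fraction(basis[j][i]) for j in range(d)] + [Fraction(x[i])] for i in range(d)]
    for col in range(d):
        piv = next((r for r in range(col, d) if m[r][col] != 0), None)
        if piv is None:
            raise ValueError("basis vectors are linearly dependent")
        m[col], m[piv] = m[piv], m[col]
        pivot = m[col][col]
        m[col] = [v / pivot for v in m[col]]
        for r in range(d):
            if r != col and m[r][col] != 0:
                f = m[r][col]
                m[r] = [a - f * b for a, b in zip(m[r], m[col])]
    return [m[i][d] for i in range(d)]


def reduce_mod_ideal(x, basis):
    """x_bar = x - sum(round(x_i) * r_i); also returns the rounded coordinates."""
    rounded = [round(c) for c in coordinates(basis, x)]  # nearest integer, ties to even
    x_bar = [Fraction(x[i]) - sum(k * b[i] for k, b in zip(rounded, basis))
             for i in range(len(x))]
    return x_bar, rounded


def in_ideal(v, basis):
    """v lies in the ideal iff its coordinates on the Z-basis are all integers."""
    return all(c.denominator == 1 for c in coordinates(basis, v))


def t2_norm_sq(v):
    """||v||^2 for Q(i): both complex embeddings contribute re^2 + im^2."""
    return 2 * (v[0] ** 2 + v[1] ** 2)


def bound_sq():
    """Square of d^(3/2) 2^(d/2) N(a)^(1/d) sqrt|Delta_K| for d = 2 (exact integer)."""
    return DEGREE ** 3 * 2 ** DEGREE * IDEAL_NORM * ABS_DISC


if __name__ == "__main__":
    for x in [(7, 3), (Fraction(7, 2), 3)]:
        x_bar, rounded = reduce_mod_ideal(x, BASIS)
        diff = [Fraction(a) - b for a, b in zip(x, x_bar)]
        print(x, "->", x_bar, "rounded coordinates", rounded,
              "difference in ideal:", in_ideal(diff, BASIS),
              "norm^2", t2_norm_sq(x_bar), "<=", bound_sq())
```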



Proposition 8. Let B\,B2 such that S(a) < Bi and 
S(a) < B2, then the complexity of Algorithm^ is bounded 
by 

$$\tilde{O}(B_1(d^3 + B_1) + d^{\omega-1}B_2 + d^{\omega+2})$$



Proof. To compute the LLL-reduced basis of $\mathfrak{a}$, we LLL-reduce the integral ideal $k\mathfrak{a}$ where $k \in \mathbb{Z}_{>0}$ is the denominator of $\mathfrak{a}$. Then, we express $x$ with respect to the basis of $k\mathfrak{a}$ where $x \in \mathcal{O}_K$ satisfies $\alpha = x/a$ for $a \in \mathbb{Z}_{>0}$. Then we divide by the respective denominator at the extra cost of $d$ multiplications.

Using the $L^2$ algorithm of Stehlé and Nguyen [12] yields the reduced basis of $k\mathfrak{a}$ in expected time bounded by



O tf [d + 



S(a) \ S(a) 
d 2 ) d? 



Then, expressing x with respect to the reduced basis of ka 
costs 

O ( d" f M + dlog IAkI +d 2 + ^$ 



d? 

Finally, the subtraction and the division by the denomina- 
tors are in 



O d 



,S(a) 



□ 



8. MODULAR HNF ALGORITHM 

Let $M \subseteq \mathcal{O}_K^n$ be an $\mathcal{O}_K$-module. We use a variant of the modular version of [2, Alg. 1.4.7] which ensures that the current pseudo-basis $[\mathfrak{a}_i, A_i]_{i \le n}$ of the module satisfies $\mathfrak{a}_i \subseteq \mathcal{O}_K$ at every step of the algorithm. This extra feature allows us to bound the denominator of coefficients of the matrix whose rows we manipulate. Algorithm 3 computes the HNF modulo the determinantal ideal $\mathfrak{g}$, and Algorithm 4 recovers an actual HNF for $M$. In this section, we discuss the differences between Algorithms 3 and 4 and their equivalent in [5, 1.4].

After the original normalization, all the ideals are integral. As $M \subseteq \mathcal{O}_K^n$, we immediately deduce that the ideal created at Step 6 of Algorithm 3 is integral as well. In addition, from the definition of the inverse of an ideal we also have that



bi,ibibi 



ibi 



C Ok, 



which allows us to conclude that the update of $(\mathfrak{b}_i, \mathfrak{b}_j)$ performed at Step 9 of Algorithm 3 preserves the fact that our ideals are integral.

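Algorithm 3 HNF of a full-rank square pseudo-matrix modulo $\mathfrak{g}$
Input: $A \in K^{n \times n}$, $\mathfrak{a}_1, \dots, \mathfrak{a}_n$, $\mathfrak{g}$.
Output: pseudo-HNF $B$, $\mathfrak{b}_1, \dots, \mathfrak{b}_n$ modulo $\mathfrak{g}$.
1: $B \leftarrow A$, $\mathfrak{b}_i \leftarrow \mathfrak{a}_i$, $j \leftarrow n$.
2: Normalize $[(B_i), (\mathfrak{b}_i)]_{i \le n}$ with Algorithm 1.
3: while $j \ge 1$ do
4:     $i \leftarrow j - 1$.
5:     while $i \ge 1$ do
6:         $\mathfrak{d} \leftarrow b_{i,j}\mathfrak{b}_i + b_{j,j}\mathfrak{b}_j$.
7:         Find $u \in \mathfrak{b}_i\mathfrak{d}^{-1}$ and $v \in \mathfrak{b}_j\mathfrak{d}^{-1}$ such that $b_{i,j}u + b_{j,j}v = 1$ with [2, Th. 1.3.3].
8:         $(B_i, B_j) \leftarrow (b_{j,j}B_i - b_{i,j}B_j,\ uB_i + vB_j)$.
9:         $(\mathfrak{b}_i, \mathfrak{b}_j) \leftarrow (b_{i,j}\mathfrak{b}_i b_{j,j}\mathfrak{b}_j\mathfrak{d}^{-1},\ \mathfrak{d})$.
10:        Normalize $\mathfrak{b}_i, B_i$ with Algorithm 1.
11:        Reduce $B_i$ modulo $\mathfrak{g}\mathfrak{b}_i^{-1}$ and $B_j$ modulo $\mathfrak{g}\mathfrak{b}_j^{-1}$ with Algorithm 2.
12:        $i \leftarrow i - 1$.
13:    end while
14:    $j \leftarrow j - 1$.
15: end while
16: return $(\mathfrak{b}_i)_{i \le n}$, $B$.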



d) <0(5(a)(d 3 + S(o))) 



The normalization and reduction at Steps 10-11 allow us to keep the size of the $B_i$ and of the $\mathfrak{b}_i$ reasonably bounded by invariants of $K$ and the dimension of the module. By doing so, we give away some information about the module $M$.

However, Algorithm 4 allows us to recover $M$, as we state in Proposition 9.



Proposition 9. The $\mathcal{O}_K$-module defined by the pseudo-basis $[(W_i), (\mathfrak{c}_i)]$ obtained by applying Algorithm 4 to the HNF of $M$ modulo $\mathfrak{g}(M)$ satisfies

$$\mathfrak{c}_1W_1 + \cdots + \mathfrak{c}_nW_n = M.$$

Proof. The proof of this statement essentially follows its equivalent for matrices over the integers. It consists of showing that $W := \sum_i \mathfrak{c}_iW_i$ and $M := \sum_i \mathfrak{a}_iA_i$ have the same determinantal ideal and that $W \subseteq M$, and then showing that this implies that $W = M$. A more complete proof is given in appendix. □



Algorithm 4 Euclidean reconstruction of the HNF
Input: $B \in K^{n \times n}$, $\mathfrak{b}_1, \dots, \mathfrak{b}_n$ output of Algorithm 3 modulo $\mathfrak{g}$ for $M \subseteq \mathcal{O}_K^n$.
Output: An HNF $W, \mathfrak{c}_1, \dots, \mathfrak{c}_n$ for $M$.



j «- n , Qj «- fl. 
while j > 1 do 
f • I 1 ' P.- 

Find u G bjO -1 and u € gc such that u + v 



Wj <— uBj mod QCj 1 . 

end while 
return W, (Cj)i< w . 



9. COMPLEXITY OF THE MODULAR HNF 

Let us assume that we are able to compute the determinantal ideal $\mathfrak{g}$ of our module $M$ in polynomial time with respect to the bit size of the invariants of the field and of $S(\mathfrak{g})$. We discuss the computation of $\mathfrak{g}$ in Section 10. In this section, we show that Algorithm 3 and Algorithm 4 are polynomial with respect to the same parameters. This result is analogous to the case of integer matrices. Indeed, the only thing we need to verify is that the size of the elements remains reasonably bounded during the algorithm.

In Algorithm 3 the coefficient explosion is prevented by the modular reduction of Step 11. It ensures that

$$\forall i_1, i_2 < j,\ \|b_{i_1,i_2}\| \le d^{3/2}2^{d/2}\mathcal{N}(\mathfrak{g}\mathfrak{b}_{i_1}^{-1})^{1/d}\sqrt{|\Delta_K|}.$$

This is not enough to prevent the explosion since $b_{i_1,i_2}$ might not be integral. Therefore, there is a minimal $k \in \mathbb{Z}_{>0}$ such that $kb_{i_1,i_2} \in \mathcal{O}_K$, which we need to bound to ensure that $S(b_{i_1,i_2})$ remains bounded as well. We know that $b_{i_1,i_2}\mathfrak{b}_{i_1} \subseteq \mathcal{O}_K$, and that $\mathfrak{b}_{i_1}$ is integral. Thus, $\mathcal{N}(k) \mid \mathcal{N}(\mathfrak{b}_{i_1})$, which in turn implies that $k \le \mathcal{N}(\mathfrak{b}_{i_1})$. As on the other hand, the normalization of Step 10 ensures that $\mathcal{N}(\mathfrak{b}_{i_1}) \le 2^{d^2/2}\sqrt{|\Delta_K|}$, we conclude that after Step 11,



S(b iui2 )<0 d 2 +dlog|Ax| + 



d 2 



In Algorithm 3 we last manipulate $B_j$ and $\mathfrak{b}_j$ when the index $j$ is the pivot. In that case, we cannot use the normalization to bound the size since we require that $b_{j,j} = 1$. However we reduce $B_j$ modulo $\mathfrak{g}\mathfrak{b}_j^{-1}$, which means that

Vi < j, WhA < d 3/2 2 d/2 U( S bT 1 ) 1/d ^\A K ~\. 

In addition, the arithmetic-geometric tells us that \\bjj\\ > 
^fdN(bi,i) 1 l d , which in turn implies that 

Vi < j, MMi) < d d 2 d2/2 M( S ) d \A K \ d/2 . (1) 
As we know that 

Af(b it jbi + b 3 ,jbj) < max(Af(bi,jbi),N'(bj l jb})) , 
we therefore know that after Step 9 

Af(bj) < d d 2 d2/2 U{g) d \A K \ d/2 , 

which allows us to bound the size of the denominators in the 
j-th row the same way we did for the rows of index i\ < j: 

Vi < j, S(b id ) < 6 (d 2 + dlog |Ajc| + ^f) ■ 



Proposition 10. The complexity of Algorithm 3 is in

$$\tilde{O}(n^3d^2(d^3 + d^2\log|\Delta_K| + S(\mathfrak{g}))^2).$$



Proof. Steps 6 to 11 of Algorithm 3 are repeated $O(n^2)$ times. Let us analyze their complexity. First, at Step 6 we have

S(b l , J )<o(Wlog|AK| + ^) (2) 

S(bi) < d(d 3 + log|A A -|) (3) 
so from Proposition [4] computing bijbi takes 

6 (d"- 2 {d 5 + d 3 log |Ax| + S(g))) . 
Then, from Proposition and |TJ), 

S(bijbi) <6(d 4 + dS(g) + d 3 log |A A -|) , 
and computing costs 

6(d" +2 (d 3 +d 2 log |Ajc|+ 5(fl))). 
As S(X>) < S(bijbi), computing 0~ takes 

6 (d 2u+1 (d 3 + d 2 log |Aa-| + S*( ))) . 

From [3l 4.8.4], this is done by solving a linear system on a 
matrix D satisfying 



log < O d 2 +log|A K | + 



S(B) \ 
d 2 J ' 

and the coefficients of the HNF matrix of are those of a ma- 
trix M satisfying log|det(M)| < 0(d 2 log|D|). Therefore, 
we have 

S^CT 1 ) < d 2 log I det(Af)| < 6 (d 2 (d 4 + d 2 log \A K \ + S(s))) 

As S(bi),S(bj) < 0(d 3 + log|Ajc|), computing biO -1 and 
bjO -1 takes 

6(d 5 (d 4 + d 2 log | Ax |+5(0))). 

Then, from fj] Th. 1.3.3], computing u and v is done by 
finding u £ bijbiX)~ and v' £ bjjbj~0~ such that u' + v' = 



1 and returning u := u' /bi : j and v := v'/bjj. Let /; := 
bijbiTt" 1 C Ok- Then, from [2] Prop. 1.3.1] computing 
u' , v' is done at the cost of an HNF computation of a 2d x d 
matrix whose entries have their size bounded by log (TV (/,•)). 
This cost is in 

O(d"(d 3 + d 2 logjA x |+S( ))). 

In addition, S{u'),S(v') < 6{d A + d 3 log|Ax| + dS(g)). 
Then, by using the same methdods as in the proof of Propo- 

sitionO we know that 5" ( < 6 [d 3 + ^ + d 2 log |Ak| 

while Proposition [2] ensures us that inverting bij is done in 

ojV" 1 ^ 3 + dlog|AK| + ^)V 

Then, calculating $u'/b_{i,j}$ and $v'/b_{j,j}$ is done in time bounded by

$$\tilde{O}(d^2(d^4 + d^3\log|\Delta_K| + dS(\mathfrak{g}))),$$

and by Corollary 1 we know that

$$S(u), S(v) \le \tilde{O}(d^4 + d^3\log|\Delta_K| + dS(\mathfrak{g})).$$

Then, from Proposition 2 and (2), the expected time for Step 8 is bounded by

$$\tilde{O}(nd^2(d^4 + d^3\log|\Delta_K| + dS(\mathfrak{g}))).$$

In addition, after Step 8, we have

$$S(b_{i,j}) \le \tilde{O}(d^4 + d^3\log|\Delta_K| + dS(\mathfrak{g})).$$

Then, from Proposition 3 and the bounds on $S(b_{i,j}\mathfrak{b}_i)$ and $S(\mathfrak{d}^{-1})$ computed above, Step 9 takes

$$\tilde{O}(d^5(d^4 + d^2\log|\Delta_K| + S(\mathfrak{g}))).$$

By using Proposition 6 we bound the time taken by Step 10 by

$$\tilde{O}(nd^3(d^3 + d^2\log|\Delta_K| + S(\mathfrak{g}))).$$

Finally, from the bound on $S(b_{i,j})$ after Step 8 and Proposition 8, Step 11 takes

$$\tilde{O}(nd^2(d^3 + d^2\log|\Delta_K| + S(\mathfrak{g}))^2).$$

□

The Euclidian reconstruction of Algorithm [4] can be seen as 
another pivot operation between the two one-dimensional 
Ox-modules bjBj and g^e.,- for each j < n. We can therefore 
bound the entries of W by the same method as for Step 6-11 
of Algorithm O we the extra observation 

AA(£b)<AA(0). 

Therefore, we showed that we could bound the size of the objects that are manipulated throughout the algorithm by values that are polynomial in terms of $n$, $d$, $S(\mathfrak{g})$ and $\log(|\Delta_K|)$, and that the complexity of the HNF algorithm was polynomial in these parameters.

10. COMPUTING THE MODULUS 

Let us assume that $A \in \mathcal{O}_K^{n \times n}$. If it is not the case, then we need to multiply by the common denominator $k$ of the entries of $A$ and return $\det(kA)/k^n$. In this section, we describe how to compute $\mathfrak{g}$ in polynomial time with respect to $n$, $d$, $\log|\Delta_K|$ and the size of the entries of $A$. The idea is to compute $\det(A) \bmod (p)$ for a sufficiently large prime number $p$. In practice, one might prefer to compute $\det(A) \bmod (p_i)$ for several prime numbers $p_1, \dots, p_l$ and recombine the values via the Chinese remainder theorem, but for the sake of simplicity, we only describe that procedure for a single prime. Once $\det(A)$ is computed in polynomial time, we return

$$\mathfrak{g} = \det(A) \cdot \mathfrak{a}_1 \cdots \mathfrak{a}_n.$$

The first step consists of evaluating how large $p$ should be to ensure that we recover $\det(A)$ uniquely. As $p\omega_1, \dots, p\omega_d$ is an integral basis for $(p)$, it suffices that $p > \max_i |a_i|$ where $\det(A) = \sum_i a_i\omega_i$. As $\max_i |a_i| \le 2^{3d/2}\|\det(A)\|$, it suffices to bound $\|\det(A)\|$. We first compute an upper bound on $|\sigma(\det(A))|$ for the $d$ complex embeddings $\sigma$ of $K$ via Hadamard's inequality and then we deduce a bound on $\|\det(A)\|$. Let $\sigma : K \to \mathbb{C}$, we know from Hadamard's inequality that

$$|\sigma(\det(A))| \le B^n n^{n/2},$$

where $B$ is a bound on $\sigma(a_{i,j})$. Such a bound can be derived from the size of the coefficients of $A$ by using

$$\forall x,\ \forall i\quad |\sigma_i(x)| \le \left(\max_j |x_j|\right) d^{3/2}2^{d^2/2}\sqrt{|\Delta_K|}.$$

This way, we see that $B := 2^{\max_{i,j}(S(a_{i,j}))}d^{3/2}2^{d^2/2}\sqrt{|\Delta_K|}$ suffices. Then, our bound on $\|\det(A)\|$ is simply

$$\|\det(A)\| \le \sqrt{n}\,2^{\max_{i,j}(S(a_{i,j}))}d^{3/2}2^{d^2/2}\sqrt{|\Delta_K|}.$$



Algorithm 5 Computation of $\det(A)$
Input: $A \in \mathcal{O}_K^{n \times n}$, $B \ge \max_{i,j}(S(a_{i,j}))$.
Output: $\det(A)$.
1: Let $p \ge \sqrt{n}\,2^B d^{3/2}2^{d^2/2}\sqrt{|\Delta_K|}$ be a prime.
2: for $\mathfrak{p}_i \mid (p)$ do
3:     Compute $\det(A) \bmod \mathfrak{p}_i$.
4: end for
5: Recover $\det(A) \bmod (p)$ via successive applications of Algorithm 6.
6: return $\det(A)$.



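To reconstruct $\det(A) \bmod (p)$ from $\det(A) \bmod \mathfrak{p}_i$ for $i \le d$, let us consider the simpler case of the reconstruction modulo two coprime ideals $\mathfrak{a}, \mathfrak{b}$ of $\mathcal{O}_K$. Let $M_{\mathfrak{a}}$ and $M_{\mathfrak{b}}$ be the matrices representing the $\mathbb{Z}$-basis of $\mathfrak{a}$ and $\mathfrak{b}$ in the integral basis $(\omega_i)_{i \le d}$ of $\mathcal{O}_K$, and let $x, y, w \in \mathcal{O}_K$ such that

$$x \equiv y \bmod \mathfrak{a},$$
$$x \equiv w \bmod \mathfrak{b}.$$

We wish to compute $z \in \mathcal{O}_K$ such that $x \equiv z \bmod \mathfrak{a}\mathfrak{b}$. As in [2, Prop. 1.3.1], we can derive $a \in \mathfrak{a}$, $b \in \mathfrak{b}$ such that $a + b = 1$ from the HNF of $\begin{pmatrix} M_{\mathfrak{a}} \\ M_{\mathfrak{b}} \end{pmatrix}$. Then, a solution to our CRT recomposition is given by

$$z := wa + yb.$$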



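Algorithm 6 CRT recomposition
Input: $\mathfrak{a}, \mathfrak{b} \subseteq \mathcal{O}_K$, $x, y, w \in \mathcal{O}_K$ such that $x \equiv y \bmod \mathfrak{a}$ and $x \equiv w \bmod \mathfrak{b}$.
Output: $z \in \mathcal{O}_K$ such that $x \equiv z \bmod \mathfrak{a}\mathfrak{b}$.
1: Compute $a \in \mathfrak{a}$, $b \in \mathfrak{b}$ such that $a + b = 1$.
2: return $z$.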
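Added example (not code from the paper): the CRT recomposition above worked in K = Q(i) with integral basis (1, i), deriving a and b with a + b = 1 from an integer Hermite reduction of the stacked basis matrices and returning z = wa + yb. The two principal ideals (2 + i) and (2 - i), the sample residues and all function names are assumptions chosen for illustration; the row reduction is a plain Euclidean one, not Storjohann's algorithm.

```python
def mul(u, v):
    """Product in Z[i]; elements are coordinate pairs (re, im) on the basis (1, i)."""
    return (u[0] * v[0] - u[1] * v[1], u[0] * v[1] + u[1] * v[0])


def ideal_basis(g):
    """Z-basis rows of the principal ideal (g): g and i*g."""
    return [tuple(g), mul((0, 1), g)]


def in_ideal(g, v):
    """v lies in (g) iff v * conj(g) is divisible by N(g) in both coordinates."""
    n = g[0] * g[0] + g[1] * g[1]
    t = mul(v, (g[0], -g[1]))
    return t[0] % n == 0 and t[1] % n == 0


def hnf_with_transform(rows):
    """Integer row reduction by unimodular operations; returns (H, U) with H = U * rows."""
    m = [list(r) for r in rows]
    n, d = len(m), len(m[0])
    u = [[int(i == j) for j in range(n)] for i in range(n)]

    def addmul(r, p, q):
        # row_r -= q * row_p, mirrored on the transformation matrix
        m[r] = [a - q * b for a, b in zip(m[r], m[p])]
        u[r] = [a - q * b for a, b in zip(u[r], u[p])]

    top = 0
    for col in range(d):
        while True:  # Euclid on the entries of this column at or below `top`
            nz = [r for r in range(top, n) if m[r][col] != 0]
            if len(nz) <= 1:
                break
            p = min(nz, key=lambda r: abs(m[r][col]))
            for r in nz:
                if r != p:
                    addmul(r, p, m[r][col] // m[p][col])
        if not nz:
            continue
        p = nz[0]
        m[top], m[p] = m[p], m[top]
        u[top], u[p] = u[p], u[top]
        if m[top][col] < 0:
            m[top] = [-a for a in m[top]]
            u[top] = [-a for a in u[top]]
        for r in range(top):  # reduce the entries above the pivot
            addmul(r, top, m[r][col] // m[top][col])
        top += 1
    return m, u


def crt_recompose(ga, gb, y, w):
    """Given x = y mod (ga) and x = w mod (gb), return (z, a, b) with z = w*a + y*b."""
    rows = ideal_basis(ga) + ideal_basis(gb)
    h, u = hnf_with_transform(rows)
    if h[0] != [1, 0] or h[1] != [0, 1]:
        raise ValueError("ideals are not coprime")
    coeff = u[0]  # integer combination of the stacked rows that equals 1 = (1, 0)
    a = tuple(sum(coeff[k] * rows[k][c] for k in range(2)) for c in range(2))
    b = tuple(sum(coeff[k] * rows[k][c] for k in range(2, 4)) for c in range(2))
    wa, yb = mul(w, a), mul(y, b)
    return (wa[0] + yb[0], wa[1] + yb[1]), a, b


# Constructed sample: x = 7 + 3i, with residues y = 1 mod (2 + i) and w = -i mod (2 - i).
GA, GB = (2, 1), (2, -1)
X, Y, W = (7, 3), (1, 0), (0, -1)

if __name__ == "__main__":
    z, a, b = crt_recompose(GA, GB, Y, W)
    print("a =", a, "b =", b, "z =", z)  # z agrees with x modulo (2 + i)(2 - i) = (5)
```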



Proposition 11. Let $B \ge \max_{i,j}(S(a_{i,j}))$, then the complexity of Algorithm 5 is bounded by

$$\tilde{O}(n^3d^7(d^2 + B + \log|\Delta_K|)^2).$$

Proof. For each $\mathfrak{p}_i$, the computation of $\det(A) \bmod \mathfrak{p}_i$ consists of $n^3$ multiplications of reduced elements modulo $\mathfrak{p}_i$ followed by a reduction modulo $\mathfrak{p}_i$. Given our choice of $p$, we have

$$\log\mathcal{N}(\mathfrak{p}_i) \le \tilde{O}(d(B + d^2 + \log|\Delta_K|)).$$

Therefore, the size of the elements $x \in \mathcal{O}_K$ involved in these multiplications satisfies

$$S(x) \le \tilde{O}(d^2(d^2 + \log|\Delta_K| + B)).$$

The cost of the multiplications is in

$$\tilde{O}(d^4(d^2 + B + \log|\Delta_K|)),$$

while the modular reductions cost

$$\tilde{O}(d^6(d^2 + B + \log|\Delta_K|)^2).$$

The time to reconstruct $\det(A) \bmod (p)$ corresponds to the computation of $n^2$ Hermite forms of $d^2 \times d$ integer matrices $M$ such that $\log|M| \le \log(\mathcal{N}(\mathfrak{p}_i))$. This takes

0(n 2 ^ +3 (d 2 + B + log|AA|) 2 ). 

□ 

11. CONCLUSION 

We described a polynomial time algorithm for computing the HNF basis of an $\mathcal{O}_K$-module. Our strategy relies on the one of Cohen [2, 1.4] who had conjectured that his modular algorithm was polynomial. The crucial difference between our algorithm and the one of [2, 1.4] is the normalization which allows us to prove the complexity to be polynomial. Without it, we cannot bound the denominator of the coefficients of the matrix when we recombine rows, even if they are reduced modulo the determinantal ideal. We provided a rigorous proof of the complexity of our method with respect to the dimension of the module, the size of the input and the invariants of the field. Our algorithm is the first polynomial time method for computing the HNF of an $\mathcal{O}_K$-module. This result is significant since other applications rely on the possibility of computing the HNF of an $\mathcal{O}_K$-module in polynomial time. In particular, Fieker and Stehlé [5] made this assumption in the analysis of their LLL algorithms for $\mathcal{O}_K$-modules. Our result has natural ramifications in cryptography through the LLL algorithm of Fieker and Stehlé [5], but it can also be used for list-decoding number field codes.
APPENDIX

A. DETAILED PROOFS OF STATEMENTS 
A.1 Notion of size

Proposition 1. Let $x \in \mathcal{O}_K$, the size of $x$ and its $T_2$-norm satisfy

\ 0g {\\ X \\)<0[^+d 2 +\0g\^ K 
$$S(x) < O\left(d(d + \log(\|x\|))\right).$$

Proof. Let us show how $S(x)$ and $\log(\|x\|)$ are related. First, we can assume Lem. 1] that we choose an LLL-reduced integral basis $\omega_1, \dots, \omega_d$ of $\mathcal{O}_K$ satisfying

$$\max_i \|\omega_i\| < \sqrt{d}\, 2^{d^2/2} \sqrt{|\Delta_K|}.$$

Then, we have

$$\forall i \le d,\quad |x|_i = |\sigma_i(x)| < d \left(\max_i |x_i|\right)\left(\max_j \|\omega_j\|\right) < \left(\max_i |x_i|\right) d^{3/2}\, 2^{d^2/2} \sqrt{|\Delta_K|}.$$

Therefore, $\log(\|x\|) < S(x) + d\log\left(d^{3/2}\, 2^{d^2/2}\sqrt{|\Delta_K|}\right)$. On the other hand, we know from [5, Lem. 2] that for our choice of an integral basis of $\mathcal{O}_K$, we have

$$\forall x \in \mathcal{O}_K,\quad S(x) < d\log\left(2^{3d/2}\|x\|\right).$$



□ 



A.2 Cost model 

Proposition 2. Let $\alpha, \beta \in K$ such that $S(\alpha), S(\beta) < B$, then the following holds:

1. $\alpha + \beta$ can be computed in $\tilde{O}(dB)$

2. $\alpha\beta$ can be computed in $\tilde{O}\left(d^2(B + d^3 + d\log|\Delta_K|)\right)$

3. $\frac{1}{\alpha}$ can be computed in $\tilde{O}\left(d^{\omega-1}(B + d^3 + d\log|\Delta_K|)\right)$,

where $\tilde{O}$ denotes the complexity without the logarithmic factors.

Proof. Let $x, y \in \mathcal{O}_K$ and $a, b \in \mathbb{Z}_{>0}$ such that $\alpha = x/a$ and $\beta = y/b$. The first step of computing $\alpha + \beta$ consists of reducing them to the same denominator. This takes a time bounded by $O(dB)$. Then the addition of the numerators takes $O(dB)$, as does the simplification by the GCD of the denominator and the $d$ coefficients.

For $i, j, k \le d$, let $a^{(k)}_{i,j}$ be such that $\omega_i\omega_j = \sum_{k \le d} a^{(k)}_{i,j}\omega_k$.

From [5, Lem. 1], we know that $\forall i,\ \|\omega_i\| < \sqrt{d}\, 2^{d^2/2}\sqrt{|\Delta_K|}$, and thus



Vi, j'HwiWjH < < d2 |Ax| 



Therefore, from Proposition [1] we have $\forall i, j, k,\ \log\left(|a^{(k)}_{i,j}|\right) < O(d^2 + \log|\Delta_K|)$. Then, if $x = \sum_{i \le d} b_i\omega_i$ and $y = \sum_{j \le d} c_j\omega_j$, we first need to compute $b_ic_j$ for every $i, j \le d$, which takes time $d^2\mathcal{M}(B/d)$. Then, we compute $(b_ic_j)a^{(k)}_{i,j}$ for $i, j, k \le d$, which takes $\tilde{O}\left(d^3\mathcal{M}(2B/d + d^2 + \log|\Delta_K|)\right)$. Then for each $k \le d$, we compute $\sum_{i,j} b_ic_ja^{(k)}_{i,j}$, which is in $O\left(d(B/d + d^2 + \log|\Delta_K|)\right)$. Finally, the multiplication of the denominators is in $\mathcal{M}(B)$, and the simplification of the numerator and denominator takes $O\left(d\mathcal{M}(B/d + d^2 + \log|\Delta_K|)\right)$.

To invert $x = \sum_i b_i\omega_i$, we first define $A := (d_{j,k})_{j,k \le d}$ by $d_{j,k} := \sum_i b_ia^{(k)}_{i,j}$, and notice that

$$\forall j,\quad x\omega_j = \sum_i b_i \sum_k a^{(k)}_{i,j}\omega_k = \sum_{k \le d} d_{j,k}\omega_k.$$

Inverting $x$ boils down to finding $x_1, \dots, x_d \in \mathbb{Q}$ such that $\sum_i x\,x_i\omega_i = 1$. It can be achieved by solving

$$XA = (1, 0, \dots, 0).$$

We derive the complexity of this step by noticing that $\log|A| < 2^{B/d + d^2 + 3d/2}\, d\,|\Delta_K|$. From Hadamard's inequality, we know that the numerator and the denominator of $x_i$ are bounded by

$$d^{d/2}|A|^d < 2^{d^3 + 3d^2/2 + B}\, d^{3d/2}\, |\Delta_K|^d.$$

Multiplying all numerators by $a$ where $\alpha = x/a$ costs

$$\tilde{O}\left(d\mathcal{M}(d^3 + B + d\log(|\Delta_K|))\right),$$

while reducing the $ax_i$ to the same denominator and simplifying the expression can be done in

$$\tilde{O}\left(d(d^3 + B + d\log(|\Delta_K|))\right).$$

As $\omega > 2$, the complexity of the inversion is in fact dominated by the resolution of the linear system. □



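Proposition 3. Let $\mathfrak{a}$ and $\mathfrak{b}$ be fractional ideals of $K$ such that $S(\mathfrak{a}), S(\mathfrak{b}) < B$, then the following holds:

1. $\mathfrak{a} + \mathfrak{b}$ can be computed in $O(d^{\omega+1}B)$,

2. $\mathfrak{a}\mathfrak{b}$ can be computed in $\tilde{O}\left(d^3(d^4 + d^2\log|\Delta_K| + B)\right)$,

3. $1/\mathfrak{a}$ can be computed in $\tilde{O}\left(d^{2\omega}(d^4 + d^2\log|\Delta_K| + B)\right)$.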

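Proof. Let $A, C \in \mathbb{Z}^{d \times d}$ in HNF form and $a, c \in \mathbb{Z}_{>0}$ such that $\mathfrak{a} = \frac{1}{a}\left(\sum_{i \le d}\mathbb{Z}A_i\right)$ and $\mathfrak{b} = \frac{1}{c}\left(\sum_{i \le d}\mathbb{Z}C_i\right)$, where $A_i$ denotes the $i$-th row of $A$. Adding $\mathfrak{a}$ and $\mathfrak{b}$ is done by computing the HNF of (f^) and reducing the denominator. The complexity is bounded by the one of the HNF which is in $O(d^{\omega+1}B)$ since $\log|cA|, \log|aC| < B + B/d^2$.

Let $\gamma_1, \dots, \gamma_d$ and $\delta_1, \dots, \delta_d$ be integral elements such that

$$\mathfrak{a} = \frac{1}{a}\left(\mathbb{Z}\gamma_1 + \cdots + \mathbb{Z}\gamma_d\right), \qquad \mathfrak{b} = \frac{1}{b}\left(\mathbb{Z}\delta_1 + \cdots + \mathbb{Z}\delta_d\right)$$

for $a, b \in \mathbb{Z}_{>0}$. We first compute $\gamma_i\delta_j$, which takes

$$O\left(d^3(S(\mathfrak{a}) + d^4 + d^2\log|\Delta_K|)\right).$$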



Their size satisfies Sfrijj) < 6 (d 3 + dlog | A K \ + ^ 

Then, we compute the HNF basis of the $\mathbb{Z}$-module generated by the $\gamma_i\delta_j$, which costs

$$O\left(d^{\omega}(d^4 + d^2\log|\Delta_K| + S(\mathfrak{a}))\right),$$

and we finally perform $d^2$ gcd reductions involving the product of the denominators which is bounded by $O(B)$.

Finally, we know from [3, 4.8.4] that finding the inverse of $\mathfrak{a}$ consists of calculating a basis of the nullspace of a matrix $D \in \mathbb{Z}^{(d^2+d) \times d^2}$ satisfying $\log|D| < O(d^2 + \log|\Delta_K| + B/d^2)$, and returning the HNF of its left $d \times d$ minor $U$. By using [15, Prop. 6.6], we find such a nullspace $M \in \mathbb{Z}^{d \times d}$ satisfying $|M| < d\left(\sqrt{d}\,|D|\right)^{2d}$ in expected time bounded by

$$\tilde{O}\left(d^{2+2\omega}\log|D|\right) < \tilde{O}\left(d^{2\omega}(d^4 + d^2\log|\Delta_K| + B)\right).$$

The HNF of $U$ has complexity bounded by $O\left(d^{\omega+1}\log|M|\right) < \tilde{O}\left(d^{2+\omega}\log|D|\right)$. □



Proposition 4. Let $\alpha \in K$, a fractional ideal $\mathfrak{a} \subseteq K$ and $B_1, B_2$ such that $S(\mathfrak{a}) < B_1$ and $S(\alpha) < B_2$, then $\alpha\mathfrak{a}$ can be computed in expected time bounded by



O d 



d 3 + dlog|A A '! + 

d 



B 2 



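Proof. Let $x \in \mathcal{O}_K$ and $a \in \mathbb{Z}_{>0}$ such that $\alpha = x/a$ and let $k \in \mathbb{Z}_{>0}$ and $\gamma_1, \dots, \gamma_d$ be an HNF basis for $\mathfrak{a}$. Then, $(x\gamma_i)_{i \le d}$ is a $\mathbb{Z}$-basis for $(x)\mathfrak{a}$. We perform $d$ multiplications $x\gamma_i$ where $S(\gamma_i) < B_1/d$ and $S(x) < B_2$. This costs

$$\tilde{O}\left(d^3\left(\frac{B_1}{d} + B_2 + d^3 + d\log|\Delta_K|\right)\right).$$

Then, from Corollary [1] we know that

$$S(x\gamma_i) < O\left(d^3 + d\log|\Delta_K| + S(x) + S(\gamma_i)\right).$$

Therefore, computing the HNF of the resulting matrix of entries bounded by $S(x\gamma_i)/d$ takes

$$\tilde{O}\left(S(x\gamma_i)\,d^{\omega}\right) < \tilde{O}\left(d^{\omega}(d^3 + d\log|\Delta_K| + S(x) + S(\gamma_i))\right).$$

Finally, we multiply the denominators and reduce them by successive GCD computations in time $O(dS(x\gamma_i))$. □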

A.3 Reduction modulo a fractional ideal 

Proposition 7. Let $x \in K$ and $\mathfrak{a}$ be a fractional ideal of $K$, then Algorithm^ returns $\bar{x}$ such that $x - \bar{x} \in \mathfrak{a}$ and

$$\|\bar{x}\| < d^{3/2}\, 2^{d/2}\, \mathcal{N}(\mathfrak{a})^{1/d} \sqrt{|\Delta_K|}.$$



Proof. The LLL [7] algorithm allows us to compute a basis $(r_j)_{j \le d}$ for $I$ that satisfies

$$\|r_j\| < 2^{d/2}\sqrt{d}\, \mathcal{N}(I)^{1/d}\sqrt{|\Delta_K|}.$$

The same holds for a fractional ideal $\mathfrak{a}$ of $K$ by multiplying the above relation by the denominator of $\mathfrak{a}$. Then, as Y x i\ r i — 1) we see that

$$\|\bar{x}\| < d\max_j\|r_j\| < d^{3/2}\, 2^{d/2}\, \mathcal{N}(\mathfrak{a})^{1/d}\sqrt{|\Delta_K|}.$$



□ 



A.4 The HNF 

At the end of Algorithm^ we obtain a pseudo-basis $[(B_i)_{i \le n}, (\mathfrak{b}_i)_{i \le n}]$ such that

$$\forall i \le n,\quad \mathfrak{b}_iB_i \subseteq M + \mathfrak{g}e_i,$$

where $e_i := (0, 0, \dots, 1, 0, \dots, 0)$ is the $i$-th vector of the
canonical basis of $K^n$. However, the determinant of $i \times i$
minors is preserved modulo q. Let Mi C O k ~ % be the Ok- 
module defined by 

Cll((Zl,n — i, ' ' ' , 0/1,71 ) + h a n (a n , n -i, ■ • ■ ,a n ,u), 

and $\mathfrak{g}(M_i)$ its determinantal ideal. The operations performed at Steps 6 to 10 in Algorithm [3] preserve $\mathfrak{g}(M_i)$ while after Step 11, our pseudo-basis $[(B_i)_{i \le n}, (\mathfrak{b}_i)_{i \le n}]$ only defines a module $M' \subseteq \mathcal{O}_K^n$ satisfying

$$\mathfrak{g}(M'_i) + \mathfrak{g} = \mathfrak{g}(M_i) + \mathfrak{g}.$$

This property is the equivalent of the integer case when the HNF is taken modulo a multiple $D$ of the determinant of the lattice. To recover the ideals $\mathfrak{c}_i$ of a pseudo-HNF of $M$, we first notice that



Vi, fl(M-) + = $(Mi) +g = tn 



+ 

+ Ci' 



b n + 0- Thus, we 



On the other hand, g(Ml) + g — b„- 
have 

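$$\forall i,\quad \mathfrak{b}_{n-i}\cdots\mathfrak{b}_n + \mathfrak{g} = \mathfrak{c}_{n-i}\cdots\mathfrak{c}_n,$$

which allows us to recursively recover the $\mathfrak{c}_i$ from the $(\mathfrak{b}_j)_{j > i}$ and $\mathfrak{g}$. Indeed, as in the integer case, it boils down to taking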



To do so, we keep track of 0i := 



+ bi 



n,>, ■ 



throughout Algorithm [4] that reconstructs the actual pseudo-HNF from its modular version given by Algorithm [3]. At each step we set

$$\mathfrak{c}_i \leftarrow \mathfrak{b}_i + \mathfrak{g}_i.$$

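This replacement of the ideals in the pseudo-basis defining our module impacts the corresponding vectors in $K^n$ as well. In particular, we require that the diagonal elements all be 1. To ensure this, we find $u \in \mathfrak{b}_i\mathfrak{c}_i^{-1}$, $v \in \mathfrak{g}_i\mathfrak{c}_i^{-1}$ such that $u + v = 1$ which implies that

$$\mathfrak{c}_i(uB_i + ve_i) \subseteq \mathfrak{b}_iB_i + \mathfrak{g}_ie_i,$$

where the $i$-th coefficient of $uB_i + ve_i \in K^n$ is 1 and the coefficients of index $j > i$ in $uB_i + ve_i$ are 0. Then we set

$$W_i \leftarrow uB_i \bmod \mathfrak{g}_i\mathfrak{c}_i^{-1},$$

and observe that $\sum_i \mathfrak{c}_iW_i \subseteq M$. These $\mathcal{O}_K$-modules have the same determinantal ideal, and as in the integer case, we can prove that it is sufficient to ensure that they are equal.

$uB_i + ve_i = W_i + d_i$ where the coefficients of $d_i \in (\mathfrak{g}_i/\mathfrak{c}_i)^n$ of index $j > i$ are 0. The vector $d_i$ satisfies $\mathfrak{c}_id_i \subseteq \mathfrak{g}_id'_i$ where $d'_i \in \mathcal{O}_K^n$ with coefficients $j > i$ equal to 0. This allows us to state that

$$\mathfrak{c}_iW_i \subseteq \mathfrak{b}_iB_i + \mathfrak{g}_ie_i + \mathfrak{c}_id_i \subseteq M + \mathfrak{g}_ie_i + \mathfrak{g}_id'_i \subseteq M + \mathfrak{g}_iD_i,$$

where the coefficients of $D_i \in \mathcal{O}_K^n$ of index $j > i$ equal 0. We now want to prove that $\mathfrak{c}_iW_i \subseteq M$. To do this, we prove that $\mathfrak{g}_iD_i \subseteq M$.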



Lemma 1. Let $M = \mathfrak{a}_1A_1 + \cdots + \mathfrak{a}_nA_n \subseteq \mathcal{O}_K^n$, then we have

$$\mathfrak{g}(M)\mathcal{O}_K^n \subseteq M.$$

Proof. We can prove by induction that if (bj)] is 

a pseudo-HNF basis of M, then 

Vi, Qi ■ ■ ■ Qiet C M, 

where $e_i$ is the $i$-th vector of the canonical basis of $\mathcal{O}_K^n$. Our statement immediately follows. □

We now consider the intersection $N_i$ of our module $M \subseteq \mathcal{O}_K^n$ with $\mathcal{O}_K^i$. Note that with the previous definitions, we have in particular $M = N_i \oplus M_i$.

Lemma 2. Let $i < n$ and $D \in \mathcal{O}_K^n$ a vector whose entries of index $j > i$ are 0. Then we have

$$\mathfrak{g}_iD \subseteq M.$$

Proof. From Lemma [1] we know that $\mathfrak{g}_i\mathcal{O}_K^i \subseteq N_i$. If $D_i \in \mathcal{O}_K^i$ is the first $i$ coordinates of $D$, then $\mathfrak{g}_iD_i \subseteq N_i$, and as the last $n - i$ coordinates of $D$ are 0, we have

$$\mathfrak{g}_iD \subseteq M.$$

□

The module generated by the pseudo-basis $[(W_i), (\mathfrak{c}_i)]$ computed by Algorithm 2] is a subset of $M$. We ensured that its determinantal ideal Ci equals the determinantal ideal $\mathfrak{g}$ of $M$. Let us prove that it is sufficient to ensure that

$$\mathfrak{c}_1W_1 + \cdots + \mathfrak{c}_nW_n = M.$$



In other words, Vc£ 6 d, 3(ci, ■ • • , a) 6 Ci X • • • X Cj such 
that 

4C"4i,"- > w i,i-i)l) = ( X] c i w i^'" i * 10 *,*-! +Ci-i,Cf 
\i<j<» 

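In particular, $c_i = c'_i$, which allows us to state that $\forall c_i \in \mathfrak{c}_i$, $\exists (c_1, \dots, c_{i-1}) \in \mathfrak{c}_1 \times \cdots \times \mathfrak{c}_{i-1}$ such that

$$\begin{aligned}
c_iw_{i,i-1} &= c_{i-1} + c_iw'_{i,i-1} \\
c_iw_{i,i-2} &= c_{i-2} + c_{i-1}w_{i-1,i-2} + c_iw'_{i,i-2} \\
&\ \ \vdots \\
c_iw_{i,1} &= c_1 + \cdots + c_{i-1}w_{i-1,1} + c_iw'_{i,1}.
\end{aligned}$$

This shows that

$$\mathfrak{c}_iW_i \subseteq \mathfrak{c}_1W_1 + \cdots + \mathfrak{c}_{i-1}W_{i-1} + \mathfrak{c}_iW'_i,$$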

and since we have Vj < i, c^Wi C X*j<! c i Wji we obtain the 
desired result. □ 

Lemma [3] is a generalization of the standard result on $\mathbb{Z}$-modules stating that if $L' \subseteq L$ and $\det(L) = \det(L')$, then $L = L'$. Although implied in [2, Chap. 1], Lemma [3] is not stated, nor proved in the literature. Yet, it is essential to ensure the validity of Algorithm [4].

Proposition 9. The $\mathcal{O}_K$-module defined by the pseudo-basis $[(W_i), (\mathfrak{c}_i)]$ obtained by applying Algorithm^ to the pseudo-HNF of $M$ modulo $\mathfrak{g}(M)$ satisfies

$$\mathfrak{c}_1W_1 + \cdots + \mathfrak{c}_nW_n = M.$$



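Lemma 3. Let $M = \sum_{i \le n}\mathfrak{a}_iA_i$ and $M' = \sum_{i \le n}\mathfrak{b}_iB_i$ two $n$-dimensional $\mathcal{O}_K$-modules such that $M' \subseteq M$ and $\mathfrak{g}(M') = \mathfrak{g}(M)$. Then necessarily

$$M = M'.$$

Proof. Let $[(W_i), (\mathfrak{c}_i)]$ be a pseudo-HNF for $M$, and $[(W'_i), (\mathfrak{c}'_i)]$ a pseudo-HNF for $M'$. By assumption, we have $\prod_i \mathfrak{c}_i = \prod_i \mathfrak{c}'_i$ and $M' \subseteq M$. As both matrices $W$ and $W'$ have a lower triangular shape, it is clear that

$$\sum_{j \le i}\mathfrak{c}'_jW'_j \subseteq \sum_{j \le i}\mathfrak{c}_jW_j. \qquad (4)$$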

As the diagonal coefficients of both $W$ and $W'$ are 1, we see by looking at the inclusion in the coefficient $i$ of Q that $\mathfrak{c}'_i \subseteq \mathfrak{c}_i$. Then as $\mathfrak{g}(M) = \mathfrak{g}(M')$, we have

ViCi = 

Now let us prove by induction that

$$\forall i,\quad \mathfrak{c}_iW_i \subseteq \mathfrak{c}'_1W'_1 + \cdots + \mathfrak{c}'_iW'_i. \qquad (5)$$

This assertion is clear for $i = 1$ since $W_1 = W'_1 = e_1$. Then, assuming (5) for $1, \dots, i-1$, we first use the fact that



ew c ciWi + 



+ dWi. 



